SonicOS SSL-VPN Authentication Bypass Vulnerability
Information:
SonicWall devices are widely deployed as perimeter security solutions. Positioned at the network's edge, these devices are highly exposed, making them prime targets for threat actors, who often scan for these exposed interfaces to exploit vulnerabilities or misconfigurations.
Exploiting vulnerabilities in SonicWall devices can provide threat actors with internal network access, positioning them to conduct follow-on attacks, including ransomware deployment. Recent reports reveal active exploitation of previous SonicWall vulnerabilities by ransomware groups like Akira and Fog.
Incident:
On January 7th, SonicWall released a product security advisory detailing several vulnerabilities, including a high-severity flaw in the SSL-VPN authentication mechanism that could allow a remote attacker to bypass authentication.
Identified as CVE-2024-53704, this high-severity authentication bypass vulnerability has a CVSS score of 8.2. It affects SonicWall firewall versions 6 and 7. SonicWall recommends that users upgrade to the latest version.
Exploitation of CVE-2024-53704 could severely impact an organization's network, leading to unauthorized access and data breaches. Attackers may gain unauthorized access to the system, leading to the theft of sensitive information such as customer data, documents, or financial records.
Furthermore, attackers could modify system configurations, increasing the risk of service disruption. Additionally, the compromised system could be used as a base for lateral movement, allowing attackers to expand their reach to other parts of the network. This could result in sustained and more severe attacks.
SonicWall states in its advisory that no active exploitation of these vulnerabilities has been reported, but that patching immediately is important to prevent exploitation.
The important thing is the security of our systems: we must stay vigilant and monitor them as usual.
For more information please contact
Email: sales@inetms.co.th
065 149 2822 (Ms. Suphatson)
063 204 4534 (Ms. Atsamaphorn)
065 929 6330 (Ms. Kansinee)
061 387 9439 (Ms. Sirilak)
092 257 6902 (Ms. Narusorn)
Recommendation:
References:
Weekly Interesting CVE
| No. | CVE Name | Published Date | Last Update | Device/Application/OS Target | Attack Type | CVSS | Detail | Solution | Reference |
|---|---|---|---|---|---|---|---|---|---|
| 1 | CVE-2024-41767 | 4/1/2025 | 4/1/2025 | IBM Engineering Lifecycle Optimization - Publishing versions 7.0.2 and 7.0.3 | SQL injection | 7.3 | IBM Engineering Lifecycle Optimization - Publishing 7.0.2 and 7.0.3 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify, or delete information in the back-end database. | The vulnerability can be remediated by applying PUB 7.0.3 iFix010 or later iFixes, or PUB 7.0.2 iFix032 or later iFixes. | https://app.opencve.io/cve/CVE-2024-41767 |
| 2 | CVE-2024-12583 | 4/1/2025 | 4/1/2025 | Dynamics 365 Integration all versions up to, and including, 1.3.23 | Remote Code Execution | 9.9 | The Dynamics 365 Integration plugin for WordPress is vulnerable to Remote Code Execution and Arbitrary File Read in all versions up to, and including, 1.3.23 via Twig Server-Side Template Injection. This is due to missing input validation and sanitization on the render function. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server. | Update to version 1.3.24, or a newer patched version. | https://app.opencve.io/cve/CVE-2024-12583 |
| 3 | CVE-2022-38156 | 12/6/2023 | 3/1/2025 | Kratos SpectralNet device with SpectralNet Narrowband (NB) before 1.7.5 | Remote Code Execution | 7.2 | A remote command injection issue exists in the web server of the Kratos SpectralNet device with SpectralNet Narrowband (NB) before 1.7.5. As an admin user, an attacker can send a crafted password in order to execute Linux commands as the root user. | Update to version 1.7.5 or later. | |
| 4 | CVE-2024-49112 | 10/12/2024 | 4/1/2025 | Windows | Remote Code Execution | 8.8 | Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability. | Apply the security patch released for each affected Windows version. | https://app.opencve.io/cve/CVE-2024-49112 |
| 5 | CVE-2024-7971 | 21/8/2024 | 3/1/2025 | Google Chrome prior to 128.0.6613.84 | Remote Code Execution | 9.6 | Type confusion in V8 in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | Update Google Chrome to version 128.0.6613.84 or later. | https://app.opencve.io/cve/CVE-2024-7971 |
| No | Campaign Name | Detection Date | Attack Type | Description | Mitigation/Remediation |
|---|---|---|---|---|---|
| 1 | Malicious Rspack, Vant packages published using stolen NPM tokens | 20/12/2024 | Cryptocurrency, Information-Steal, Supply chain attack | Researchers from Sonatype and Socket detected cryptocurrency mining activity using XMRig, originating from npm packages associated with the Rspack system. Upon further investigation, malicious code was found embedded in the @rspack/core package under the file support.js and the @rspack/cli package under the file config.js. These files communicated with C2 servers and external servers while secretly mining cryptocurrency, leading to increased CPU usage. Additionally, a script was installed at the path /tmp/vant_helper. Moreover, the npm packages were exploited to steal access tokens or other credentials. The researchers discovered that these packages had already been downloaded over 400,000 times. Following this discovery, the developers released patches that deprecated the versions containing the embedded malicious code. | 1. Keep Rspack and Vant at the latest version. 2. Deploy endpoint protection and network monitoring to detect exploitation attempts. |
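As an added example (not code from the newsletter, nor from Sonatype, Socket or the Rspack/Vant projects), the following Python script turns the mitigation above into a repeatable inventory check: it walks a package-lock.json (lockfileVersion 2 or 3, whose "packages" map is keyed by node_modules path), lists every installed copy of @rspack/core, @rspack/cli and vant, including nested copies, flags any that match a caller-supplied set of affected versions, and checks whether the /tmp/vant_helper path named in the campaign exists. The affected version numbers are not given on this page, so AFFECTED_PLACEHOLDER is a labelled placeholder to be replaced with the versions from the vendor or npm advisory, and the sample lockfile and its version strings are constructed for the demo.

```python
import json
import os

# Package names taken from the campaign description in the newsletter.
WATCHED_PACKAGES = {"@rspack/core", "@rspack/cli", "vant"}
# Helper-script path named in the campaign description.
DROPPER_PATH = "/tmp/vant_helper"


def installed_versions(lockfile_text, watched=WATCHED_PACKAGES):
    """Return {package_name: sorted versions} for every installed copy of the
    watched packages in a package-lock.json (lockfileVersion 2 or 3, which
    records each install under a "packages" map keyed by node_modules path).
    Nested copies (node_modules/x/node_modules/@rspack/core) are included."""
    lock = json.loads(lockfile_text)
    found = {}
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project entry, not a dependency
            continue
        # The text after the last "node_modules/" is the package name,
        # which keeps a "@scope/" prefix intact.
        name = path.rsplit("node_modules/", 1)[-1]
        if name in watched and "version" in meta:
            found.setdefault(name, set()).add(meta["version"])
    return {name: sorted(vers) for name, vers in found.items()}


def flag_affected(versions, affected):
    """affected: {package_name: set of versions} copied from the vendor or npm
    advisory. Returns sorted (name, version) pairs that match."""
    return sorted(
        (name, v)
        for name, vers in versions.items()
        for v in vers
        if v in affected.get(name, set())
    )


def dropper_present(path=DROPPER_PATH):
    """True if the path the campaign used for its helper script exists."""
    return os.path.exists(path)


# Constructed sample lockfile; the version strings are made up for the demo.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "0.0.1"},
        "node_modules/@rspack/core": {"version": "1.0.1"},
        "node_modules/@rspack/cli": {"version": "1.0.2"},
        "node_modules/some-tool": {"version": "2.0.0"},
        "node_modules/some-tool/node_modules/@rspack/core": {"version": "1.0.0"},
        "node_modules/vant": {"version": "4.0.0"},
    },
})

# PLACEHOLDER: replace with the affected versions from the real advisory.
AFFECTED_PLACEHOLDER = {"@rspack/core": {"1.0.1"}, "@rspack/cli": {"1.0.1"}}


def run_check(lockfile_text=SAMPLE_LOCK, affected=AFFECTED_PLACEHOLDER):
    """Return (versions, hits, dropper_found) for reporting."""
    versions = installed_versions(lockfile_text)
    hits = flag_affected(versions, affected)
    return versions, hits, dropper_present()


if __name__ == "__main__":
    versions, hits, dropper = run_check()
    for name, vers in sorted(versions.items()):
        print(f"{name}: {', '.join(vers)}")
    for name, v in hits:
        print(f"AFFECTED: {name}@{v}")
    print("dropper path present:", dropper)
```

Point run_check at a real lockfile (`run_check(open("package-lock.json").read(), affected)`) to use it on a project; walking the full "packages" map rather than only the top-level entries matters because a transitive dependency can pin its own copy of @rspack/core that `npm ls` users easily overlook.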
20 January 2025